Over 130 mn Aadhaar numbers may have been leaked due to the govt.’s poor security policies: Report

A new research report, first reported by The Wire, points out that the central government and a state government may have exposed up to 135 million Aadhaar numbers due to bad information security practices.

We have been hearing about several Aadhaar data breaches in the past couple of months. According to the Center for Internet and Society (CIS), which studied four government databases that were accessible through government portals, an estimated 130-135 million Aadhaar numbers and 100 million bank details may have been exposed due to the lack of security measures.

While the government’s objective behind providing these online dashboards was to make the details more transparent and accessible to other government and trusted organisations, the security measures that were put in place were outdated and could be bypassed without much effort.

Add to this a data download option on the NSAP website that allows downloads of massive chunks of data. “This feature allows download of beneficiary details mentioned above such as Beneficiary No., Name, Father’s / Husband’s Name, Age, Gender, Bank or Post Office Account No. for beneficiaries receiving disbursement via bank transfer and Aadhaar Numbers for each area, district and state,” the report states.

“While the details were masked for public view, someone with login access could get the details. When one of the URL query parameters of website showing the masked personal details was modified from ‘nologin’ to ‘login’, that is control access to login based pages were allowed providing unmasked details without the need for a password,” added the report.
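The flaw the report describes, a page that unmasks records because a query parameter says "login", is shown here next to a version that decides from a server-side session and records the mismatch. This is an added example, not code from the report or from any government portal; the parameter name `mode`, the session store, the role name and the sample record are assumptions.

```python
from urllib.parse import parse_qs

# Constructed sample record for illustration; not real data.
RECORD = {"name": "Test Beneficiary", "aadhaar": "123412341234", "account": "000111222333"}
SENSITIVE = ("aadhaar", "account")

# Hypothetical server-side session store: token -> role assigned at a real login.
SESSIONS = {"tok-officer-1": "officer"}


def mask(value):
    """Hide everything except the last four characters."""
    return "X" * (len(value) - 4) + value[-4:]


def masked_view(record):
    """Return a copy of the record with the sensitive fields masked."""
    return {k: mask(v) if k in SENSITIVE else v for k, v in record.items()}


def requested_mode(query_string):
    # 'mode' is an assumed parameter name; the page gives only its two values.
    return parse_qs(query_string).get("mode", ["nologin"])[0]


def view_vulnerable(query_string, record):
    """Flawed pattern: the client-supplied parameter alone decides unmasking."""
    if requested_mode(query_string) == "login":
        return dict(record)
    return masked_view(record)


def view_hardened(query_string, record, session_token=None, audit=None):
    """Authorization comes only from the server-side session; the parameter
    is treated as a display hint and never grants access."""
    authorized = SESSIONS.get(session_token) == "officer"
    if requested_mode(query_string) == "login" and not authorized and audit is not None:
        # Detection signal: a request claimed the logged-in view without a session.
        audit.append("mode=login requested without an authenticated session")
    return dict(record) if authorized else masked_view(record)
```
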

The authors of the research, Amber Sinha and Srinivas Kodali, also pointed out that the Unique Identification Authority of India (UIDAI) takes little responsibility.

“While the UIDAI has been involved in proactively pushing for other databases to get seeded with Aadhaar numbers, they take little responsibility in ensuring the security and privacy of such data. With countless databases seeded with Aadhaar numbers, we would argue that it is extremely irresponsible on the part of the UIDAI, the sole governing body for this massive project, to turn a blind eye to the lack of standards prescribed for how other bodies shall deal with such data, such cases of massive public disclosures of this data, and the myriad ways in which it may be used for mischief,”

The government schemes that hosted millions of Aadhaar numbers along with banking and financial details have been listed below.

The report further states that “it is staggering that while these databases have existed in the public domain for months, while framing the Aadhaar Act Regulations in late 2016, the UIDAI did not even deem these as important matters to be addressed by way of regulations or standards.” The authors also noted that in the process of completing the report, some of these websites had masked the pages with sensitive personally identifiable information (PII).